Setting up of Separation of Duties Policy Violation

Which IIQ version are you inquiring about?

8.4P3

Share all details about your problem, including any error messages you may have received.

Hello all,

I would like to set up a policy violation for both preventive and detective. The scenario is as below:

  1. I have 4 groups (Apple, Pear, Orange, Banana)
  2. (Detective) If a user has more than one of these groups (e.g. Apple & Banana) in their existing account, a policy violation will be thrown and a work item will be created to notify them
  3. (Preventive) If a user is trying to raise a request to add more than one of these groups to their account (e.g. Apple & Banana), OR already has one existing group (e.g. Pear) while raising a request for another (e.g. Orange), an error message is prompted

Will entitlement SOD policy be able to set this up relatively easily? Preferably without writing any rule.

Any help is appreciated!

Hi @shijingg, you can create an entitlement SOD policy, which will cater to your requirement. For existing account violations, run the refresh task with the option “Check active policies & Keep previous violations” enabled.

For a new user role submission, it will detect the violation and raise a work item with the request violation.

Entitlement SOD policy is the best for this use case. We have implemented the same in our environment.

@shijingg Along with the Entitlement SOD violation, you need to set the policyScheme in your LCM workflow to make it work with Access Request. I would recommend testing out the behaviour in your lower instances with all the possible use cases you have before launching it in Production.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.

Hi all,

Thanks all for your replies. Just to check: to use the entitlement SOD policy, should each of the entitlements be an entitlement set?

Or should it be one entitlement set and each attribute is added with OR condition?

@shijingg You need to add conflicting entitlements in different sets. Let’s say you have 2 entitlements and a user should not have both; then you need to add ent1 to the first set and ent2 to the other set.

If you have more entitlements you need to add more policy rules, like one rule for Ent1 vs Ent2, Ent3, Ent4, a 2nd rule for Ent2 vs Ent3, Ent4, and so on.

Go to Policies and create a new policy. In the Entitlement SOD Rule, in the first entitlement set, select the application, then select the first entitlement set and select either of the attribute/permission; then in the second set put the entitlement from the application and define the entitlement it should conflict with. I mean like a toxic combination.

Hello! Meaning if I have 4 Ents I need 4 different Entitlement SOD Policies? Will an Advanced Policy help to combine them all into one?

@shijingg You need just one Advanced Policy, but you need to create multiple policy rules.


@shijingg you will have to create one “Entitlement SOD rule” for each set of conflicting entitlements.

Hi @shijingg ,

It is important to identify how one entitlement is considered as conflicting with other entitlements. As per the case you mentioned, this can be done with an Entitlement SOD Policy.

Configure the Entitlement SOD Policy with 3 constraints:

  • Constraint 1 : Apple vs [Pear, Orange, Banana]
  • Constraint 2 : Pear vs [Orange, Banana]
  • Constraint 3 : Orange vs Banana

If the number of conflicting entitlements increases, you will probably have to add more constraints. There is no need to write any logic in a Rule.

Hope this helps.
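To show why the three constraints above cover every pair of the four groups, and how the detective check (existing account) differs from the preventive check (request plus existing access), here is an added example that models that logic in plain Python. It is not IdentityIQ code; the group names come from the thread, and all function names and the sample accounts are constructed for the illustration.

```python
from itertools import combinations

# Constructed input: the four mutually exclusive groups from the thread.
CONFLICTING_GROUPS = ["Apple", "Pear", "Orange", "Banana"]


def build_constraints(groups):
    """Build the constraints the answer describes: each group conflicts with
    every group listed after it, so n groups need n-1 constraints."""
    return [(g, list(groups[i + 1:])) for i, g in enumerate(groups[:-1])]


def covers_all_pairs(constraints, groups):
    """Sanity check: the constraints must cover all n*(n-1)/2 conflicting pairs."""
    covered = {frozenset((left, r)) for left, rights in constraints for r in rights}
    needed = {frozenset(pair) for pair in combinations(groups, 2)}
    return covered == needed


def violations(held, constraints):
    """Detective check over an account's existing entitlements.
    Returns the (left, right) pairs that are both held, i.e. the violations."""
    held = set(held)
    return [(left, r) for left, rights in constraints if left in held
            for r in rights if r in held]


def preventive_check(existing, requested, constraints):
    """Preventive check for an access request: evaluate existing plus requested
    entitlements and reject if the request would create any new violation.
    Returns (allowed, new_violations)."""
    before = set(violations(existing, constraints))
    after = set(violations(set(existing) | set(requested), constraints))
    new = sorted(after - before)
    return (len(new) == 0, new)


if __name__ == "__main__":
    constraints = build_constraints(CONFLICTING_GROUPS)
    for left, rights in constraints:
        print(f"Constraint: {left} vs {rights}")
    print("All pairs covered:", covers_all_pairs(constraints, CONFLICTING_GROUPS))
    # Detective: account already holds Apple and Banana (constructed sample).
    print("Existing violations:", violations(["Apple", "Banana", "Mail"], constraints))
    # Preventive: user holding Pear requests Orange (constructed sample).
    print("Request Pear->Orange:", preventive_check(["Pear"], ["Orange"], constraints))
```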